Syntax
arp anti-attack valid-check enable
undo arp anti-attack valid-check enable
View
System view
Parameters
None
Description
Use the arp anti-attack valid-check enable command to enable ARP source MAC address consistency check.
Use the undo arp anti-attack valid-check enable command to disable this function.
By default, ARP source MAC address consistency check is disabled.
Examples
# Enable ARP source MAC address consistency check.
<sysname> system-view
[sysname] arp anti-attack valid-check enable
Syntax
arp check enable
undo arp check enable
View
System view
Parameters
None
Description
Use the arp check enable command to enable the ARP entry checking function on a switch.
Use the undo arp check enable command to disable the ARP entry checking function.
With the ARP entry checking function enabled, the switch cannot learn any ARP entry with a multicast MAC address. Configuring such a static ARP entry is not allowed either; if you try, the system displays an error message.
After the ARP entry checking function is disabled, the switch can learn ARP entries with a multicast MAC address, and you can also configure such a static ARP entry on the switch.
By default, the ARP entry checking function is enabled.
Examples
# Disable the ARP entry checking function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo arp check enable
Syntax
arp detection enable
undo arp detection enable
View
VLAN view
Parameters
None
Description
Use the arp detection enable command to enable the ARP attack detection function on all ports in the specified VLAN. When it receives an ARP packet from a port in this VLAN, the switch checks the source IP address, the source MAC address, the number of the receiving port, and the VLAN of the port against the DHCP snooping entries and IP static binding entries. The ARP packet is discarded if the mapping of the source IP address and source MAC address is not included in those entries, or if the number of the receiving port and the VLAN of the port do not match those entries.
Use the undo arp detection enable command to disable the ARP attack detection function on all ports in the specified VLAN.
By default, ARP attack detection is disabled on the switch.
Examples
# Enable ARP attack detection on all ports in VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 1
[Sysname-vlan1] arp detection enable
Syntax
arp detection trust
undo arp detection trust
View
Ethernet port view
Parameters
None
Description
Use the arp detection trust command to specify the current port as a trusted port, that is, ARP packets received on this port are regarded as legal ARP packets and are not checked.
Use the undo arp detection trust command to specify the current port as an untrusted port in ARP detection.
By default, a port is an untrusted port in ARP detection.
Examples
# Specify Ethernet 1/0/11 as the trusted port in ARP detection.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/11
[Sysname-Ethernet1/0/11] arp detection trust
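The check performed by arp detection enable, together with the bypass that arp detection trust gives a port, as an added model in Python (not the switch's own code). The binding entries, the VLAN with detection enabled, the trusted port and the packets are all constructed sample data.

```python
# Added example (not from the switch documentation): a model of the ARP attack
# detection check. Binding entries, VLANs, ports and packets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping or IP static binding entry (constructed sample)."""
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    vlan: int
    port: str              # receiving port

# Constructed sample state: two bindings learned on Ethernet1/0/2 in VLAN 1.
BINDINGS = {
    Binding("192.168.0.77", "0000-e8f5-6a4a", 1, "Ethernet1/0/2"),
    Binding("192.168.0.2", "000d-88f8-4e88", 1, "Ethernet1/0/2"),
}
DETECTION_VLANS = {1}                  # 'arp detection enable' in VLAN 1
TRUSTED_PORTS = {"Ethernet1/0/11"}     # 'arp detection trust' on this port

def arp_detection_verdict(pkt, bindings=BINDINGS,
                          detection_vlans=DETECTION_VLANS, trusted=TRUSTED_PORTS):
    """Return ('forward' | 'discard', reason) following the manual's rules."""
    if pkt.vlan not in detection_vlans:
        return "forward", "detection not enabled in this VLAN"
    if pkt.port in trusted:
        return "forward", "trusted port, packet not checked"
    same_pair = [b for b in bindings
                 if b.ip == pkt.src_ip and b.mac == pkt.src_mac]
    if not same_pair:
        return "discard", "source IP/MAC mapping not in binding entries"
    if not any(b.vlan == pkt.vlan and b.port == pkt.port for b in same_pair):
        return "discard", "receiving port/VLAN does not match binding entry"
    return "forward", "matches a binding entry"

def invalid_packet_count(packets, **kw):
    """Discarded packets, as 'display arp detection statistics' would report."""
    return sum(1 for p in packets if arp_detection_verdict(p, **kw)[0] == "discard")
```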
Syntax
arp protective-down recover enable
undo arp protective-down recover enable
View
System view
Parameters
None
Description
Use the arp protective-down recover enable command to enable the port state auto-recovery function on the switch.
Use the undo arp protective-down recover enable command to disable the port state auto-recovery function of a switch.
With this function enabled, the switch can automatically bring up a port that has been shut down due to an excessive ARP packet receiving rate after a specified period.
By default, the port state auto-recovery function is disabled.
Examples
# Enable the port state auto-recovery function of the switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp protective-down recover enable
Syntax
arp protective-down recover interval interval
undo arp protective-down recover interval
View
System view
Parameters
interval: Recovery time (in seconds) of a port which is shut down due to an excessive ARP packet receiving rate. The effective range is 10 to 86,400.
Description
Use the arp protective-down recover interval command to specify a recovery interval. After the interval, a port that has been shut down due to an excessive ARP packet receiving rate will be brought up.
Use the undo arp protective-down recover interval command to restore the default.
By default, when the port state auto-recovery function is enabled, the recovery interval is 300 seconds.
Note that:
- You need to enable the port state auto-recovery feature before you can configure the auto-recovery interval.
- If you use the arp protective-down recover interval command to modify the recovery time when the current port has already been shut down due to an excessive ARP packet receiving rate, the previously configured interval applies to the first port state recovery. Starting from the next state recovery, the new recovery interval takes effect.
Examples
# Set the auto-recovery interval to 30 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp protective-down recover enable
[Sysname] arp protective-down recover interval 30
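The recovery timer semantics of arp protective-down recover enable and arp protective-down recover interval, including the note that an interval changed while a port is already down applies only from the next recovery, as an added Python model (not the switch's own code). The shutdown event is supplied externally; port names and times are constructed.

```python
# Added example (not from the switch documentation): a model of the port state
# auto-recovery timer. The trigger that shuts a port down for an excessive ARP
# receiving rate is given as an event; it is not modelled here.
DEFAULT_INTERVAL = 300          # seconds, when auto-recovery is enabled
INTERVAL_RANGE = (10, 86400)    # effective range of the interval argument

class ProtectiveDown:
    def __init__(self):
        self.recover_enabled = False
        self.interval = DEFAULT_INTERVAL
        self.down_ports = {}    # port -> (shutdown_time, interval captured then)

    def recover_enable(self):          # 'arp protective-down recover enable'
        self.recover_enabled = True

    def recover_interval(self, seconds):   # 'arp protective-down recover interval'
        if not self.recover_enabled:
            raise ValueError("enable port state auto-recovery first")
        lo, hi = INTERVAL_RANGE
        if not lo <= seconds <= hi:
            raise ValueError(f"interval must be {lo}..{hi} seconds")
        # Ports already down keep the interval recorded at shutdown time, so the
        # new value only applies from their next recovery onward.
        self.interval = seconds

    def shutdown(self, port, now):
        """Record that 'port' was shut down at time 'now' (constructed event)."""
        self.down_ports[port] = (now, self.interval)

    def tick(self, now):
        """Bring up ports whose interval has elapsed; return their names."""
        if not self.recover_enabled:
            return []
        up = [p for p, (t0, iv) in self.down_ports.items() if now - t0 >= iv]
        for p in up:
            del self.down_ports[p]
        return sorted(up)
```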
Syntax
arp rate-limit rate
undo arp rate-limit
View
Ethernet port view
Parameters
rate: Maximum ARP packet receiving rate on the port, in the range of 10 to 1,024 pps.
Description
Use the arp rate-limit command to specify the maximum ARP packet receiving rate on the port. If a rate is specified, exceeding packets are discarded.
Use the undo arp rate-limit command to restore the default.
By default, after a port is enabled with the ARP packet rate limit function, the maximum ARP packet receiving rate on the port is 15 pps.
Note that: You must enable the ARP packet rate limit function before you can specify the maximum ARP packet receiving rate on the port by using the arp rate-limit command.
Examples
# Set the maximum ARP packet receiving rate on Ethernet 1/0/11 to 100 pps.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/11
[Sysname-Ethernet1/0/11] arp rate-limit enable
[Sysname-Ethernet1/0/11] arp rate-limit 100
Syntax
arp rate-limit enable
undo arp rate-limit enable
View
Ethernet port view
Parameters
None
Description
Use the arp rate-limit enable command to enable the ARP packet rate limit function on the port, that is, to limit the rate of ARP packets passing through the port. If a rate (the maximum ARP packet rate is 15 pps by default) is specified, exceeding ARP packets are discarded.
Use the undo arp rate-limit enable command to disable the ARP packet rate limit function on the port.
By default, the ARP packet rate limit function is disabled, that is, the ARP packet rate is not limited on a port.
Examples
# Enable the ARP packet rate limit function on Ethernet 1/0/11.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/11
[Sysname-Ethernet1/0/11] arp rate-limit enable
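The behaviour of arp rate-limit enable and arp rate-limit together (disabled by default, 15 pps once enabled, a configurable 10 to 1,024 pps, exceeding packets discarded, and the rate settable only after enabling), as an added Python model that is not the switch's own code. Port names and packet timings are constructed.

```python
# Added example (not from the switch documentation): per-port ARP packet rate
# limiter with a one-second window. Ports and packet timestamps are constructed.
from collections import defaultdict

DEFAULT_RATE = 15           # pps once 'arp rate-limit enable' is configured
RATE_RANGE = (10, 1024)     # range of the 'arp rate-limit rate' argument

class ArpRateLimiter:
    def __init__(self):
        self.enabled = set()
        self.rate = {}                          # port -> pps
        self._window = {}                       # port -> (second, count)
        self.discarded = defaultdict(int)

    def enable(self, port):                     # 'arp rate-limit enable'
        self.enabled.add(port)
        self.rate.setdefault(port, DEFAULT_RATE)

    def disable(self, port):                    # 'undo arp rate-limit enable'
        self.enabled.discard(port)

    def set_rate(self, port, pps):              # 'arp rate-limit rate'
        if port not in self.enabled:
            raise ValueError("enable the rate limit function on the port first")
        lo, hi = RATE_RANGE
        if not lo <= pps <= hi:
            raise ValueError(f"rate must be {lo}..{hi} pps")
        self.rate[port] = pps

    def accept(self, port, t):
        """True if an ARP packet arriving at time t (seconds) is accepted."""
        if port not in self.enabled:
            return True                         # rate not limited on this port
        sec = int(t)
        last_sec, count = self._window.get(port, (sec, 0))
        if last_sec != sec:                     # new one-second window
            last_sec, count = sec, 0
        if count >= self.rate[port]:
            self._window[port] = (sec, count)
            self.discarded[port] += 1           # exceeding packet discarded
            return False
        self._window[port] = (sec, count + 1)
        return True

def run_burst(limiter, port, n, start=0.0):
    """Feed n packets spread over one second; return (accepted, discarded)."""
    results = [limiter.accept(port, start + i / n) for i in range(n)]
    return results.count(True), results.count(False)
```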
Syntax
arp restricted-forwarding enable
undo arp restricted-forwarding enable
View
VLAN view
Parameters
None
Description
Use the arp restricted-forwarding enable command to enable ARP restricted forwarding, so that legal ARP requests received from the specified VLAN are forwarded through configured trusted ports only, and legal ARP responses are forwarded according to the destination MAC addresses in the packets, or through trusted ports if the MAC address table contains no such destination MAC addresses.
Use the undo arp restricted-forwarding enable command to disable ARP restricted forwarding.
By default, ARP restricted forwarding is disabled.
Related commands: arp detection enable, arp detection trust
Examples
# Enable ARP restricted forwarding in VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] vlan 1
[Sysname-vlan1] arp restricted-forwarding enable
Syntax
arp static ip-address mac-address [ vlan-id interface-type interface-number ] (in system view)
arp static ip-address mac-address vlan-id (in Ethernet port view)
undo arp ip-address
View
System view, Ethernet port view
Parameters
ip-address: IP address contained in the ARP mapping entry to be created or removed.
mac-address: MAC address contained in the ARP mapping entry to be created, in the format H-H-H.
vlan-id: ID of the VLAN to which the static ARP entry belongs, in the range of 1 to 4,094.
interface-type: Type of the port to which the static ARP entry belongs.
interface-number: Number of the port to which the static ARP entry belongs.
Description
Use the arp static command to create a static ARP entry.
Use the undo arp command to remove an ARP entry.
By default, the system ARP mapping table is empty and the address mapping entries are obtained dynamically by ARP.
Note that:
- Static ARP entries remain valid as long as the Ethernet switch operates normally. Some operations, however, such as removing a VLAN or removing a port from a VLAN, invalidate the corresponding ARP entries, which are then removed automatically.
- For the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to that VLAN.
- Currently, static ARP entries cannot be configured on the ports of an aggregation group.
Related commands: reset arp, display arp.
Examples
# Create a static ARP mapping entry with the IP address 202.38.10.2 and the MAC address 000f-e20f-0000. The ARP mapping entry belongs to Ethernet 1/0/1, which belongs to VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp static 202.38.10.2 000f-e20f-0000 1 Ethernet 1/0/1
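The checks applied to a static ARP entry as described on this page, covering both the arp check enable rule (no multicast MAC address) and the arp static notes (existing VLAN, port that belongs to it, no aggregation-group port), as an added Python validator that is not the switch's own code. The VLAN membership table and the aggregation-group port set are constructed sample data.

```python
# Added example (not from the switch documentation): validation of a static ARP
# entry. VLAN_PORTS and AGG_PORTS are constructed sample switch state.
import ipaddress
import re

MAC_HHH = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")

# Constructed: VLAN ID -> member ports, and ports in an aggregation group.
VLAN_PORTS = {1: {"Ethernet1/0/1", "Ethernet1/0/2"}, 10: {"Ethernet1/0/5"}}
AGG_PORTS = {"Ethernet1/0/5"}

def is_multicast_mac(mac):
    """True if the I/G bit (least significant bit of the first octet) is set."""
    if not MAC_HHH.match(mac):
        raise ValueError("MAC address must be in H-H-H format")
    return bool(int(mac[:2], 16) & 0x01)

def validate_static_arp(ip, mac, vlan_id=None, port=None, arp_check=True,
                        vlan_ports=VLAN_PORTS, agg_ports=AGG_PORTS):
    """Return the reasons the entry would be rejected (empty list = accepted).

    arp_check mirrors 'arp check enable' (on by default): with it on, an entry
    whose MAC is a multicast address is refused instead of being created.
    """
    errors = []
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        errors.append("ip-address is not a valid IPv4 address")
    if not MAC_HHH.match(mac):
        errors.append("mac-address is not in H-H-H format")
    elif arp_check and is_multicast_mac(mac):
        errors.append("multicast MAC address not allowed while arp check is enabled")
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            errors.append("vlan-id out of range 1..4094")
        elif vlan_id not in vlan_ports:
            errors.append("VLAN does not exist")
        elif port is not None and port not in vlan_ports[vlan_id]:
            errors.append("port does not belong to the VLAN")
    if port is not None and port in agg_ports:
        errors.append("port is a member of an aggregation group")
    return errors
```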
Syntax
arp timer aging aging-time
undo arp timer aging
View
System view
Parameters
aging-time: Aging time (in minutes) of the dynamic ARP entries. This argument ranges from 1 to 1,440.
Description
Use the arp timer aging command to configure the aging time for dynamic ARP entries.
Use the undo arp timer aging command to restore the default.
By default, the aging time for dynamic ARP entries is 20 minutes.
Related commands: display arp timer aging.
Examples
# Configure the aging time to be 10 minutes for dynamic ARP entries.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] arp timer aging 10
1.1.12 display arp
Syntax
display arp [ dynamic | static | ip-address ]
View
Any view
Parameters
dynamic: Displays dynamic ARP entries.
static: Displays static ARP entries.
ip-address: IP address. ARP entries containing the IP address are to be displayed.
Description
Use the display arp command to display specific ARP entries.
If you execute this command with no keyword/argument specified, all the ARP entries are displayed.
Related commands: arp static, reset arp.
Examples
# Display all the ARP entries.
<Sysname> display arp
Type: S-Static   D-Dynamic
IP Address      MAC Address     VLAN ID   Port Name / AL ID   Aging   Type
10.2.72.162     000a-000a-0aaa  N/A       N/A                 N/A     S
192.168.0.77    0000-e8f5-6a4a  1         Ethernet1/0/2       13      D
192.168.0.2     000d-88f8-4e88  1         Ethernet1/0/2       14      D
192.168.0.200   0014-222c-9d6a  1         Ethernet1/0/2       14      D
192.168.0.45    000d-88f6-44c1  1         Ethernet1/0/2       15      D
192.168.0.110   0011-4301-991e  1         Ethernet1/0/2       15      D
192.168.0.32    0000-e8f5-73ee  1         Ethernet1/0/2       16      D
192.168.0.3     0014-222c-aa69  1         Ethernet1/0/2       16      D
192.168.0.17    000d-88f6-379c  1         Ethernet1/0/2       17      D
192.168.0.115   000d-88f7-9f7d  1         Ethernet1/0/2       18      D
192.168.0.43    000c-760a-172d  1         Ethernet1/0/2       18      D
192.168.0.33    000d-88f6-44ba  1         Ethernet1/0/2       20      D
192.168.0.35    000f-e20f-2181  1         Ethernet1/0/2       20      D
192.168.0.5     000f-3d80-2b38  1         Ethernet1/0/2       20      D
--- 14 entries found ---
Table 1-1 Description on the fields of the display arp command
| Field | Description |
| IP Address | IP address contained in an ARP entry |
| MAC Address | MAC address contained in an ARP entry |
| VLAN ID | ID of the VLAN which an ARP entry corresponds to |
| Port Name / AL ID | Port which an ARP entry corresponds to |
| Aging | Aging time (in minutes) of an ARP entry. N/A is displayed for static ARP entries. |
| Type | Type of an ARP entry: D for dynamic, and S for static. |
1.1.13 display arp |
Syntax
display arp [ dynamic | static ] | { begin | exclude | include } regular-expression
View
Any view
Parameters
dynamic: Displays dynamic ARP entries.
static: Displays static ARP entries.
|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Configuration File Management Command in this manual.
begin: Displays the first ARP entry containing the specified string and all subsequent ARP entries.
exclude: Displays the ARP entries that do not contain the specified string.
include: Displays the ARP entries containing the specified string.
regular-expression: A case-sensitive character string.
Description
Use the display arp | command to display the ARP entries that match the specified string in the specified way (begin, exclude or include).
Related commands: arp static, reset arp.
Examples
# Display all the ARP entries that contain the string 77.
<Sysname> display arp | include 77
Type: S-Static   D-Dynamic
IP Address      MAC Address     VLAN ID   Port Name / AL ID   Aging   Type
192.168.0.77    0000-e8f5-6a4a  1         Ethernet1/0/2       12      D
--- 1 entry found ---
# Display all the ARP entries that do not contain the string 68.
<Sysname> display arp | exclude 68
Type: S-Static   D-Dynamic
IP Address      MAC Address     VLAN ID   Port Name / AL ID   Aging   Type
10.2.72.162     000a-000a-0aaa  N/A       N/A                 N/A     S
--- 1 entry found ---
Refer to Table 1-1 for the description of the above output information.
Syntax
display arp count [ [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] | ip-address ]
View
Any view
Parameters
dynamic: Counts the dynamic ARP entries.
static: Counts the static ARP entries.
|: Uses a regular expression as the match criterion. For detailed information about regular expressions, refer to Configuration File Management Command in this manual.
begin: Displays the number of ARP entries counted from the first one containing the specified string.
exclude: Displays the number of ARP entries that do not contain the specified string.
include: Displays the number of ARP entries containing the specified string.
regular-expression: A case-sensitive character string.
ip-address: IP address. The ARP entries containing the IP address are to be counted.
Description
Use the display arp count command to display the number of the specified ARP entries. If no parameter is specified, the total number of ARP entries is displayed.
Related commands: arp static, reset arp.
Examples
# Display the total number of ARP entries.
<Sysname> display arp count
14 entries found
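The display arp output format, the display arp | begin/exclude/include filters, and display arp count, as one added Python example (not the switch's own code) that parses the output shown above and applies the same selections. SAMPLE_OUTPUT is constructed from rows of the page's own sample; the filter matches are case-sensitive, as the manual states for regular-expression.

```python
# Added example (not from the switch documentation): parser for the 'display
# arp' output plus the begin/exclude/include filters and count.
import re

SAMPLE_OUTPUT = """\
Type: S-Static   D-Dynamic
IP Address      MAC Address     VLAN ID   Port Name / AL ID   Aging   Type
10.2.72.162     000a-000a-0aaa  N/A       N/A                 N/A     S
192.168.0.77    0000-e8f5-6a4a  1         Ethernet1/0/2       13      D
192.168.0.2     000d-88f8-4e88  1         Ethernet1/0/2       14      D
192.168.0.200   0014-222c-9d6a  1         Ethernet1/0/2       14      D
--- 4 entries found ---
"""

# IP, MAC (H-H-H), VLAN ID, port, aging, type; static entries show N/A fields.
ENTRY_RE = re.compile(r"^(\S+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s+([SD])$")

def parse_display_arp(text):
    """One dict per entry line; legend, header and trailer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        ip, mac, vlan, port, aging, typ = m.groups()
        entries.append({"ip": ip, "mac": mac, "static": typ == "S",
                        "aging": None if aging == "N/A" else int(aging),
                        "raw": raw.strip()})
    return entries

def filter_lines(lines, mode, pattern):
    # '| begin', '| exclude' and '| include' over entry lines (case-sensitive).
    rx = re.compile(pattern)
    if mode == "include":
        return [l for l in lines if rx.search(l)]
    if mode == "exclude":
        return [l for l in lines if not rx.search(l)]
    if mode == "begin":
        for i, l in enumerate(lines):
            if rx.search(l):
                return lines[i:]        # first match and everything after it
        return []
    raise ValueError("mode must be begin, exclude or include")

def display_arp(text, kind=None, mode=None, pattern=None):
    entries = parse_display_arp(text)
    if kind in ("static", "dynamic"):
        entries = [e for e in entries if e["static"] == (kind == "static")]
    if mode:
        keep = set(filter_lines([e["raw"] for e in entries], mode, pattern))
        entries = [e for e in entries if e["raw"] in keep]
    return entries

def display_arp_count(text, **kw):
    return len(display_arp(text, **kw))     # 'display arp count' with same keywords
```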
Syntax
display arp detection statistics interface interface-type interface-number
View
Any view
Parameters
interface-type interface-number: Type and number of a port.
Description
Use the display arp detection statistics interface command to display the ARP attack detection state, the ARP trusted port state, and the number of discarded invalid ARP packets (those that failed to pass ARP attack detection) on the specified port.
If ARP attack detection is disabled, the ARP trusted port state and the number of discarded invalid ARP packets are not displayed.
Examples
# Display ARP detection statistics on Ethernet 1/0/10.
<Sysname> display arp detection statistics interface ethernet1/0/10
ARP DETECTION : ENABLE
ARP PORT TRUST : DISABLE
INVALID ARP PACKETS : 31
Table 1-2 Description on the fields of the display arp detection statistics interface command
| Field | Description |
| ARP DETECTION | ARP attack detection state: enabled/disabled |
| ARP PORT TRUST | ARP trusted port state: enabled/disabled |
| INVALID ARP PACKETS | Number of discarded invalid ARP packets (those that failed to pass ARP attack detection) |
Syntax
display arp timer aging
View
Any view
Parameters
None
Description
Use the display arp timer aging command to display the setting of the ARP aging time.
Related commands: arp timer aging.
Examples
# Display the setting of the ARP aging time.
<Sysname> display arp timer aging
Current ARP aging time is 20 minute(s)(default)
The displayed information shows that the ARP aging time is set to 20 minutes.
Syntax
gratuitous-arp-learning enable
undo gratuitous-arp-learning enable
View
System view
Parameters
None
Description
Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function. A switch receiving a gratuitous ARP packet can then add the IP and MAC addresses carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the packet in its cache.
Use the undo gratuitous-arp-learning enable command to disable the gratuitous ARP packet learning function.
By default, the gratuitous ARP packet learning function is disabled.
Examples
# Enable the gratuitous ARP packet learning function on a switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] gratuitous-arp-learning enable
Syntax
reset arp [ dynamic | static | interface interface-type interface-number ]
View
User view
Parameters
dynamic: Clears dynamic ARP entries.
static: Clears static ARP entries.
interface interface-type interface-number: Clears ARP entries of the specified port.
Description
Use the reset arp command to clear specific ARP entries.
Related commands: arp static, display arp.
Examples
# Clear static ARP entries.
<Sysname> reset arp static